Confidential — Prepared for Brightwater Care Group
How Cloudflare enables AI-powered productivity with enterprise security — built for aged care.
Australian Regulatory Context
Aged Care Act 2024
Commenced 1 November 2025
Replaced the Aged Care Act 1997. The new Act is rights-based, provider-accountable, and audit-driven.
7 Strengthened Quality Standards
Standard 2 (The Organisation) creates board-level accountability for risk management, information governance, and incident response.
Registration Renewed Every 3 Years
The Aged Care Quality and Safety Commission (ACQSC) audits against all Standards. A cyber incident disrupting care delivery = direct audit risk.
Privacy Act Penalty Uplift
Up to AUD $50 million or 30% of turnover for serious breaches. Health records = sensitive information.
International Signals
United Kingdom
NHS WannaCry (2017)
80,000+ devices infected. CQC now includes cyber resilience as a provider registration criterion. Lesson: cyber failure = care failure.
United States
Change Healthcare (Feb 2024)
100M patient records exposed. $22B company crippled. HHS now mandating cyber standards for all healthcare entities receiving Medicare.
Australia
Medibank (Oct 2022)
9.7M health records exposed. ASD/ACSC flagged health as priority sector. SOCI Act expanded to cover health data processors.
The pattern is clear: international regulators move from voluntary guidance to mandatory cyber requirements within 2–3 years of a major incident. Australia is on the same trajectory.
Standard 2 & SIRS
Standard 2 — The Organisation requires providers to:
Use a risk management system — cyber risk is explicitly organisational risk under the Act.
Use an incident management system — must capture, analyse and respond to incidents systematically.
Manage older people's information correctly — access controls, data integrity, breach protocols.
Plan for emergencies and disasters — includes technology outages that disrupt care delivery.
SIRS — The Hidden Digital Risk
The Serious Incident Response Scheme requires mandatory reporting of incidents that affect older people's safety.
What most providers haven't connected:
A ransomware attack that locks clinical records, disrupts medication management, or forces a facility closure triggers SIRS obligations — not just an IT incident.
Threat Reality
Why Aged Care is Targeted
What a Cyber Incident Means for Brightwater
The Gap
The traditional view:
Cyber incident → IT restores backup → business continues
Notify insurer → manage internally → no external obligation
Board learns about it weeks later in a report
Under the Aged Care Act 2024:
Cyber incident disrupts care → SIRS reportable event triggered
ACQSC notified → potential registration audit accelerated
Standard 2 governance failure + Privacy Act breach = AUD $50M exposure
The Solution
Never Trust, Always Verify
Every staff member — permanent, casual, contractor — verified on every access request. No implicit trust based on network location.
Secure Across All Sites
Whether staff are in a Brightwater residential facility, doing home care visits, or working remotely — same security policy enforced everywhere.
Patient Data Stays Protected
DLP policies prevent sensitive health records from leaving your environment via email, upload, or AI prompts. Copilot included.
Versus Legacy VPN
VPN grants full network access once connected. Zero Trust grants access only to the specific application needed — nothing more.
Safe AI Use — Not a Blocked AI
Microsoft Copilot, ChatGPT, and other AI tools can be allowed and governed — not blindly blocked. Cloudflare Gateway inspects prompts, enforces DLP, and logs AI interactions for compliance audit trails.
Cloudflare One — Mapped to Your Obligations
Access — Identity & MFA
Meets Standard 2 information management obligation
Enforce MFA for all staff. Role-based access to clinical systems. Full audit log of who accessed what and when.
Gateway — Threat Prevention
Meets Standard 2 risk management & disaster planning obligation
Block ransomware command-and-control (C2) domains, phishing, and malware before they reach staff devices — on any network.
DLP & CASB — Data Protection
Meets Privacy Act Australian Privacy Principle (APP) 11 (security of personal and health information) obligation
Detect and block sensitive health data leaving via email, cloud uploads, or AI prompts. Works with Microsoft 365.
Magic WAN — Network Segmentation
Meets Standard 2 incident management & continuity obligation
Connect all Brightwater sites on a secure overlay network. Segment clinical systems from admin. Stop lateral movement.
Cloudflare One — 330+ cities, 500 Tbps network, within 50ms of 95% of the internet-connected population
Behind the Scenes
MCP Tools Used for This Presentation
This is not just a chatbot. This is AI orchestration with enterprise security — the same capabilities available to Brightwater.
Next Steps
Security Assessment
A no-obligation review of Brightwater's current security posture mapped against Standard 2 obligations and Essential Eight maturity.
AI Use Case Workshop
Explore where AI can generate the most value for Brightwater — clinical documentation, scheduling, resident insights — with security guardrails designed in from day one.
Proof of Concept
Deploy Cloudflare One to a pilot group of Brightwater staff — demonstrate Zero Trust access, Gateway threat protection, and DLP for health data in your environment.
Your Cloudflare SE
Jason Clarke
jclarke@cloudflare.com
Helping build a better internet